Protect WordPress Installation

As the administrator of a blog or website running WordPress, you should invest some time in security so that you do not become the target of a hacker attack. In addition to regular updates of the WordPress core and plugins, the system should be secured in other places as well, because the WordPress CMS is a popular target of hacker attacks. This is not because the system is inherently insecure; on the contrary, it is the wide distribution of WordPress that makes it a worthwhile system to hack.

Here is an overview of the most important points for securing the CMS, broken down by area.

Adjustments to WordPress

  • Do not use the default user name: avoid the user names dictated by WordPress and create your own user; this also applies to the user “admin”. Since WordPress 3.0 you can also give the admin user a different name
  • Rename the WordPress folder: changing the WordPress folder name is safer and brings a little more order to the web space
  • Choose secure passwords: a password should contain a mixture of uppercase and lowercase letters, numbers and special characters. I need not say more, because this is just as important in other areas
  • Suppress error messages on the login page: if you enter an incorrect user name or password, this is reported by default, which lets an attacker recognize which users exist and which do not. An adaptation in functions.php suppresses these error messages
  • Publish articles and posts under a user with author rights: if this account is ever hacked, the attacker does not have many rights on the system and so cannot do much with it
  • Regular updates: both WordPress and the plugins should be checked regularly for updates, and the updates installed. There are many outdated installations on the web, which can significantly jeopardize the security of websites and blogs
  • Regular backups: after unauthorized access, they help you quickly restore the previous system
  • Remove the WordPress version from the page source: give an attacker as little information as possible


Protection at database level

      • Change table prefixes

During installation, you have the option to specify the prefix. If you did not do this at that point, you can easily do it afterwards, for example directly through SQL.

The new prefix must also appear in the tables “options” and “usermeta”. The values in these two tables are not changed automatically, since they are anchored there; this can be done with an SQL query.

The prefix also needs to be changed in wp-config.php.
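The three steps above as one MySQL sequence, added here as an example and not the author's original snippets. It assumes the default prefix `wp_`, the tables of a stock install, and `wpx7_` as a constructed placeholder for the new prefix.

```sql
-- Added example. Assumptions: old prefix wp_, new prefix wpx7_ (placeholder),
-- stock WordPress tables only. Add your plugin tables to the list.
-- Take a database backup first and run this while the site is offline.

-- 1) Rename the tables. A multi-table RENAME TABLE is applied as a unit:
--    if one name is wrong, no table is renamed.
RENAME TABLE
    wp_commentmeta        TO wpx7_commentmeta,
    wp_comments           TO wpx7_comments,
    wp_links              TO wpx7_links,
    wp_options            TO wpx7_options,
    wp_postmeta           TO wpx7_postmeta,
    wp_posts              TO wpx7_posts,
    wp_terms              TO wpx7_terms,
    wp_term_relationships TO wpx7_term_relationships,
    wp_term_taxonomy      TO wpx7_term_taxonomy,
    wp_usermeta           TO wpx7_usermeta,
    wp_users              TO wpx7_users;

-- WordPress 4.4 and later also have a termmeta table; skip on older versions.
RENAME TABLE wp_termmeta TO wpx7_termmeta;

-- 2) "options" stores the role definitions under a key that embeds the prefix.
--    If it is not renamed, no user has any capabilities after the switch.
UPDATE wpx7_options
SET    option_name = 'wpx7_user_roles'
WHERE  option_name = 'wp_user_roles';

-- 3) "usermeta" keys such as wp_capabilities and wp_user_level embed it too.
--    Review what will be touched before changing it.
SELECT DISTINCT meta_key
FROM   wpx7_usermeta
WHERE  LEFT(meta_key, 3) = 'wp_';

UPDATE wpx7_usermeta
SET    meta_key = CONCAT('wpx7_', SUBSTRING(meta_key, 4))
WHERE  LEFT(meta_key, 3) = 'wp_';

-- 4) Check: both queries must return 0 rows with the old prefix.
SELECT option_name FROM wpx7_options  WHERE option_name = 'wp_user_roles';
SELECT meta_key    FROM wpx7_usermeta WHERE LEFT(meta_key, 3) = 'wp_';

-- 5) Finally, in wp-config.php set:  $table_prefix = 'wpx7_';
```

Until step 5 is done WordPress still looks for the old table names, so do the database changes and the wp-config.php change in one maintenance window.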

General server settings

      • Prevent access to folders and directories: hackers should not be able to access the folders, so either a blank index.html can be created in each directory, or a corresponding line can be added to the .htaccess file.

      • Protect wp-config.php: this configuration file contains sensitive information for access to the database, so a corresponding rule should be added to the .htaccess file.

Since WordPress 2.6 it is even possible to move the configuration file one level up in the file system. wp-config.php is then no longer directly in the WordPress installation directory and is therefore harder to reach.

      • Use a secure SSL connection: if the web hosting package supports SSL, it should also be used for a secure connection to the administration interface. This must be set up in Apache and enabled in wp-config.php.

There are a number of other security measures, but I think this list covers the main ones. There are also many plugins that take certain safety precautions for WordPress automatically or that can be configured individually.
